SEC573: Automating Information Security with Python

Highly recommended. SEC573 truly gives you the power to forensicate at scale - or hunt adversaries.

Mark Osborn, SecureWorks

SEC573 is a well-laid-out course. It's flexible for all students, and a wide range of tools and techniques are taught.

J Morrison, Aegon

Python is a simple, user-friendly language that is designed to make automating the tasks that security professionals perform quick and easy. Whether you are new to coding or have been coding for years, SANS SEC573: Automating Information Security with Python will have you creating programs that make your job easier and make your work more efficient. This self-paced course starts from the very beginning, assuming you have no prior experience or knowledge of programming. We cover all of the essentials of the language up front. If you already know the essentials, you will find that the pyWars lab environment allows advanced developers to quickly accelerate to more advanced material in the course.

All security professionals, including Penetration Testers, Forensics Analysts, Network Defenders, Security Administrators, and Incident Responders, have one thing in common: CHANGE. Change is constant. Technology, threats, and tools are constantly evolving. If we don't evolve with them, we'll become ineffective and irrelevant, unable to provide the vital defenses our organizations increasingly require.

Maybe your chosen Operating System has a new feature that creates interesting forensics artifacts that would be invaluable for your investigation, if only you had a tool to access it. Often for new features and forensics artifacts, no such tool has yet been released. You could try moving your case forward without that evidence or hope that someone creates a tool before the case goes cold...or you can write a tool yourself.

Or perhaps an attacker bypassed your defenses and owned your network months ago. If existing tools were able to find the attack, you wouldn't be in this situation. You are bleeding sensitive data and the time-consuming manual process of finding and eradicating the attacker is costing you money and hurting your organization big time. The answer is simple if you have the skills: Write a tool to automate your defenses.

Or, as a Penetration tester, you need to evolve as quickly as the threats you are paid to emulate. What do you do when "off-the-shelf" tools and exploits fall short? If you're good, you write your own tool.

SEC573 is designed to give you the skills you need for tweaking, customizing, or outright developing your own tools. We put you on the path of creating your own tools, empowering you to better automate the daily routine of today's information security professional and to achieve more value in less time. Again and again, organizations serious about security emphasize their need for skilled tool builders. There is a huge demand for people who can understand a problem and then rapidly develop prototype code to attack or defend against it. Join us and learn Python in-depth and fully weaponized.

Course Syllabus

SEC573.1: Essentials Workshop with pyWars

Overview

The course begins with a brief introduction to Python and the pyWars Capture-the-Flag challenge. We set the stage for students to learn at their own pace in the pyWars lab environment, which is 100 percent hands-on. As more advanced students take on Python-based Capture-the-Flag challenges, students who are new to programming will start from the very beginning with Python essentials.

CPE/CMU Credits: 6

Topics

Syntax

Variables

Math Operators

Strings

Functions

Modules

Control Statements

Introspection

SEC573.2: Essentials Workshop with MORE pyWars

Overview

You will never learn to program by staring at PowerPoint slides. This section continues the hands-on, lab-centric approach established at the beginning of the course. It covers data structures and more detailed programming concepts. Next we focus on invaluable tips and trick to make you a better Python programmer and to show you how to debug your code.

CPE/CMU Credits: 6

Topics

Lists

Loops

Tuples

Dictionaries

The Python Debugger

Coding Tips

Tricks and Shortcuts

System Arguments

ArgParser Module

SEC573.3: Defensive Python

Overview of SEC573.3 -- SEC573.5

NOTE: Most of this course is focused on expanding your Python skills, leveraging modules, and performing important operations used by all information security professionals. You will learn about file operations, log analysis, database operations, low-level network operations such as Raw sockets and packet parsing, high-level network operations such as HTTP and authentication, object-oriented coding, regular expressions, subprocess execution and automation and much more. All of these skills are common to every security profession and useful to everyone regardless of your discipline. Starting with this third section, the remainder of the course is broken down into three sections themed with defense, forensics, and offense.

Overview

In this section we take on the role of a network defender with more logs to examine than there is time in the day. Attackers have penetrated the network and you will have to analyze the logs and packet captures to find them. We will discuss how to analyze network logs and packets to discover where the attackers are coming from and what they are doing. We will build scripts to empower continuous monitoring and disrupt the attackers before they exfiltration your data. Forensicators and offensive security professional won't be left out because reading and writing files and parsing data is also an essential skill they will apply to their craft as well.

CPE/CMU Credits: 6

Topics

File Operations

Python Sets

Regular Expressions

Log Parsing

Data Analysis Tools and Techniques

Long-Tail/Short-Tail Analysis

Geolocation Acquisition

Blacklists and Whitelists

Packet Analysis

Packet Reassembly

Payload Extraction

SEC573.4: Forensics Python

Overview

In our forensics-themed section, we will assume the role of a forensics analyst who has to carve evidence from artifacts when no tool exists to do so. Even if you don't do forensics, you will find that the skills covered in this section are foundational to every security role. We will discuss the process required to carve binary images, find appropriate data of interest in them, and extract those data. Once you have the artifact isolated, there is more analysis to be done. You will learn how to extract metadata from image files. Then we will discuss techniques for finding artifacts in other locations such as SQL databases and interacting with web pages.

CPE/CMU Credits: 6

Topics

Acquiring Images from Disk

Memory and the Network

File Carving

The STRUCT module

Raw Network Sockets and Protocols

Image Forensics and PIL

SQL Queries

HTTP Communications with Python Built in Libraries

Web Communications with the Requests Module

SEC573.5: Offensive Python

Overview

During our offensively themed section we play the role of penetration testers whose normal tricks have failed. Their attempts to establish a foothold have been stopped by modern defenses. To bypass these defenses, you will build an agent to give you access to a remote system. Similar agents can be used for Incident response or systems administration, but our focus will be on offensive operations.

CPE/CMU Credits: 6

Topics

Network Socket Operations

Exception Handling

Process Execution

Blocking and Non-blocking Sockets

Using the Select Module for Asynchronous Operations

Python Objects

Argument Packing and Unpacking

SEC573.6: Capture the Flag

Overview

In this final section you will be placed on a team with other students. You will apply the skills you have mastered in a series of programming challenges. Participants will exercise the new skills and the code they have developed throughout the course in a series of challenges. You will solve programming challenges, exploit vulnerable systems, analyze packets, parse logs, and automate code execution on remote systems. Test your skills! Prove your might!

CPE/CMU Credits: 6

Additional Information

Laptop Required

Laptop Required

Students are required to bring their own laptop so that they can connect directly to the workshop network we will create, and thus get the most value out of the course. It is the student's responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine. All of the VMWare products are available at www.vmware.com.

Windows

You are required to bring Windows 10 (Professional), Windows 8.1 (Professional), Windows 8 (Professional), Windows 7 (Professional, Enterprise, or Ultimate), or Windows Vista (Business, Enterprise, or Ultimate) either on a real system or a virtual machine. You will need administrative access to your Windows computer and the ability to install various software packages, including Python, on that computer.

IMPORTANT NOTE: You may also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that Administrator password for your anti-virus tool.

The course includes a VMware image file of a guest Linux system that is larger than 15 GB. Therefore, you need a file system with the ability to read and write files that are larger than 15 GB, such as NTFS on a Windows machine.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.

VMware

You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player or later or the commercial VMware Workstation 8 or later installed on your system prior to coming to class. You can download VMware Workstation Player for free, here.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation here. VMware will send you a time- limited license number for VMware Workstation if you register for the trial on its website. No license number is required for VMware Player.

We will give you a USB full of tools to use during the class (which is yours to keep). We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.

Linux

You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

x86- or x64-compatible 2.0 GHz CPU minimum or higher

An available USB port with the ability to read an ExFat format.

4 GB or higher recommended

Ethernet adapter: Students attending a live class will require a wired connection. If your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you

15 GB available hard drive space

During the workshop, you will be connecting to one of the most hostile networks on planet earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn -- and have a lot of fun doing it!

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

Security professionals who benefit from automating routine tasks so they can focus on what's most important

Forensics analysts who can no longer wait on someone else to develop a commercial tool to analyze artifacts

Network defenders who sift through mountains of logs and packets to find evil-doers in their networks

Penetration testers who are ready to advance from script kiddie to professional offensive computer operations operator

Prerequisites

A basic understanding of any programming or scripting language is highly recommended but not required for this class. SEC573 starts with the most basic fundamentals of Python programming. There is no aspect of programming or Python that must be understood before attending this course. The lab environment is self-paced and this allows students who have had some experience coding advance more quickly than those who have not. You are provided a Virtual Machine that gives you the ability to complete the labs that are in your course book after the live course or your OnDemand access has finished.

Note to Live Classroom Students

SEC573 contains more labs and exercises than even the most skilled programmer can complete in one week. Students who are brand new to the concepts should expect to complete about a third of the labs while in class and take the additional material with them in the Virtual Machine to continue their study and advance their skills. Students who already know some programming will complete a higher percentage of the exercises in class but will still take home additional material to continue learning. In the vast majority of cases, even those students who start the class with a good understanding of how to code in Python will leave with incomplete labs that they can continue to use to develop their skills. SEC573 will meet you where you are and quickly advance your skills. You will leave with new skills you can put to good use when you return to your workplace and with additional material to continue to develop your skills.

Other Courses People Have Taken

Other Courses People Have Taken

Courses that lead in to SEC573: Automating Information Security with Python:

What You Will Receive

A USB containing a virtual machine filled with sample code and working examples

A copy of Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers, T.J. O'Connor's critically acclaimed book that shows you how to forge your own weapons using the Python programming language

MP3 audio files of the complete course lecture

This Course Will Prepare You To

Modify existing open source tools to customize them to meet the needs of your organization.

Manipulate log file formats to make them compatible with various log collectors.

Write new tools to analyze log files and network packets to identify attackers in your environment.

Automate the collection of intelligence information to augment your security from online resources.

Automate the extraction of signs of compromise and other forensics data from the Windows Registry and other databases.

Write a backdoor that uses exception handling, sockets, process execution, and encryption to provide you with your initial foothold in a target environment. The backdoor will include features such as a port scanner to find an open outbound port, techniques for evading antivirus software and network monitoring, and the ability to embed payload from tools such as Metasploit.

Hands-on Training

pyWars labs: A self-paced lab environment that allows students to work through labs and exercise at their own pace. Challenges include reverse engineering malware, malware covert channels, cryptography essentials, advanced regular expressions, advanced network communications, and more.

Author Statement

"Good scripting skills are essential to professionals in all aspects of information security. Understanding how to develop your own applications means you can automate tasks and do more, with fewer resources, in less time. SEC573 is designed for network defenders, forensics examiners, penetration testers, and other security professionals who want to learn how to apply basic coding skills to do their job more efficiently. This course will help take your career to the next level by teaching you this highly sought-after skill. We will focus on the most important skills for security professionals, such as interacting with networks, websites, databases, and file systems. We will cover these essential skills as we build practical applications that you can immediately put into use in your place of work."

- Mark Baggett

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.